Claroty researchers in 2020 conducted an extensive analysis of the OPC network protocol prevalent in OT networks worldwide. During that research, Claroty found and privately disclosed critical vulnerabilities in OPC implementations from a number of leading vendors that have built their respective products on top of the protocol stack. The affected vendors sell these products to companies operating in many industries within the ICS domain.
The vulnerabilities discovered by Claroty could be exploited to cause a denial-of-service condition on devices operating on industrial networks, as well as information leaks, and remote code execution. Our research identified weak spots in different OPC specification implementations within different components of the OPC architecture. These components include the OPC server, OPC gateway, and a third-party library implementation of the OPC protocol stack
In this report, we will explain the OPC protocol in depth, its architecture, and common usage in order to gain a deeper understanding of the impact of these vulnerabilities. We will also describe the vulnerabilities we uncovered, and explain the potential threat posed by attackers who exploit these vulnerabilities to take over OPC servers and gateways, and potentially harm manufacturing facilities and production lines.
CWE-284: Improper access control
A network-adjacent authenticated attacker may perform unintended operations
CVSS v3: 5.5
CWE-321: Use of hard-coded cryptographic key
A network-adjacent unauthenticated attacker may log in to SFTP service and obtain and/or manipulate unauthorized files
CVSS v3: 5.4
CWE-522: Insufficiently protected credentials
A network-adjacent unauthenticated attacker may obtain sensitive information such as a username and its password in the address book
CVSS v3: 6.5
CWE-78: OS command injection
A network-adjacent authenticated attacker may execute an arbitrary OS command with root privileges by sending a specially crafted request
CVSS v3: 8.0
CWE-306: MISSING AUTHENTICATION FOR CRITICAL FUNCTION
The affected product is vulnerable to an attacker being able to use commands without providing a password which may allow an attacker to leak information.
Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, impersonate and send false information, or bypass authentication.
Elvaco has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of M-Bus Metering Gateway CMe3100 are invited to contact Elvaco customer support for additional information.
CVSS v3: 7.5